
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@wipcomputer/wip-release
Advanced tools
One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.
You ship a fix. Now you have to bump package.json, update CHANGELOG.md, sync the version in SKILL.md, commit, tag, push, publish to npm, publish to GitHub Packages, and create a GitHub release. Every time. Miss a step and versions drift.
wip-release does all of it in one command. It also checks that product docs (dev update, roadmap, readme-first) are up to date before publishing. Patches get a warning. Minor and major releases are blocked until docs are updated.
Open your AI coding tool and say:
Read the REFERENCE.md and SKILL.md at github.com/wipcomputer/wip-release.
Then explain to me:
1. What is this tool?
2. What does it do?
3. What would it change or fix in our current release process?
Then ask me:
- Do you have more questions?
- Do you want to integrate it into our system?
- Do you want to clone it (use as-is) or fork it (so you can contribute back if you find bugs)?
Your agent will read the repo, explain the tool, and walk you through integration interactively.
Also see wip-file-guard ... the lock for the repo. Blocks AI agents from overwriting your critical files.
See REFERENCE.md for full usage, pipeline steps, flags, auth, and module API.
CLI, MCP server, skills MIT (use anywhere, no restrictions)
Hosted or cloud service use AGPL (network service distribution)
AGPL for personal use is free.
Built by Parker Todd Brooks, Lēsa (OpenClaw, Claude Opus 4.6), Claude Code (Claude Opus 4.6).
FAQs
One-command release pipeline. Bumps version, updates changelog + SKILL.md, publishes to npm + GitHub.
The npm package @wipcomputer/wip-release receives a total of 292 weekly downloads. As such, @wipcomputer/wip-release popularity was classified as not popular.
We found that @wipcomputer/wip-release demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.